Credit: Post based on CISSP course presented by Dennis Lee, November 2018
In this post, we are going to cover some basic terminology, then review different types of multi-factor authentication, review Biometric authentication, talk a little bit about federated identity management and then end with a summary review of different types of access controls.
So, starting with terminology:
- Identification is to announce oneself to a system or a facility.
- Authentication is to verify users of a system or a facility
- Authorization is the act of enforcing permissions for each user
- Accountability is to track a user’s activities
Users authenticate based on one or more of the following factors:
- Something they know (a password)
- Something they have (an ID)
- Something they are or do (biometrics)
To be Two Factor Authentication (2FA), a user must use 2 out of 3 of the above. Multi-Factor Authentication (MFA) means a user can use 2 of the same type of factor listed above (i.e. MFA could mean that you just have to enter two passwords, or a password and a PIN).
Tokens can be used to create one-time passwords. A token is also known as a session password or a dynamic password vs. a static, reusable, or fixed password.
There are two types of tokens: Asynchronous Tokens
And Synchronous Tokens (typically based on time):
So now let’s talk about biometrics – i.e. “What you are”. There are two types of Biometrics:
- Physiological / static biometrics measure a unique, personal feature such as your fingerprints.
- Behavioral / dynamic biometrics measures something you perform that’s unique to you such as your voice, hand signature, keystroke dynamics, walking gait, etc.
When comparing biometric systems, we typically look at Error Rates and again, there are two types:
- Type I Error (aka False Reject rate error) is when a system rejects the correct/valid user.
- Type II Error (aka False Acceptance rate error) is when a system accepts the incorrect/invalid person.
A trick to help you remember Type II is that it is FAR worse II let someone incorrect in!
The Crossover Error Rate is a percentage calculation measuring the accuracy of a biometric device. The smaller the percentage, the lower the false positive rate and the more accurate the device.
Federated Identity Management (FIM, not to be confused with File Integrity Monitoring) is the capability of managing a user’s identity across multiple, distinct, identity management systems. An example is using your Google login information to authenticate with Pintrest.
A Federated Login is a form of Single Sign On (SSO) dealing with internet services. Examples include OpenID, PayPal, Facebook, Google, etc.
Security Assertion Markup Language (SAML) is an XML based format for exchanging security information for SSO. It only provides a message format to authenticate a user and must be used with protocols that perform SSO. Again, examples include OpenID, Kerberos, Facebook, etc. SAML is a browser based component for SSO, not a system for SSO itself.
Oauth (Open Standard for Authentication) is a standard allowing 3rd party websites to gain access to resources without exchanging username and password if both sides support Oauth. The 3rd party website requests a token from the website that holds the user’s resources and if the user authorizes the transaction, a temporary access token is issued to the requesting website. An example of this is when Google maps requests access to your Uber account to book a ride.
As promised, here’s a summary of different types of Access Controls – note this is NOT an exhaustive list.
| Control | Description |
|---|---|
| Mandatory Access Control (TCSEC Level B1) | Access is determined by an Access control policy, Classification labels (for objects), and Clearance labels (for subjects) |
| Discretionary (TCSEC C1) | Access is determined by the owner of the asset |
| Non-Discretionary | Access is maintained by the custodian / system |
| Rule Based | Access is based on policies |
| Role Based | Access is based on job functions |
| Content Dependent | Access is based on what needs to be performed on database records |
| Time Based | Access is based on schedules |
| Constrained User Interface | Deliberately restrict access based on conditions such as: Age, Location, Ability to Pay, etc. |
Excellent Tips 